ProverCoderAI
diff --git a/‎packages/api/src/api/contracts.ts‎
Lines changed: 16 additions & 0 deletions b/‎packages/api/src/api/contracts.ts‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎packages/api/src/api/schema.ts‎
Lines changed: 11 additions & 0 deletions b/‎packages/api/src/api/schema.ts‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎packages/api/src/http.ts‎
Lines changed: 37 additions & 1 deletion b/‎packages/api/src/http.ts‎
Lines changed: 37 additions & 1 deletion
diff --git a/‎packages/api/src/services/auth.ts‎
Lines changed: 112 additions & 1 deletion b/‎packages/api/src/services/auth.ts‎
Lines changed: 112 additions & 1 deletion
diff --git a/‎packages/api/tests/auth.test.ts‎
Lines changed: 78 additions & 1 deletion b/‎packages/api/tests/auth.test.ts‎
Lines changed: 78 additions & 1 deletion
@@ -50,6 +50,22 @@ export type GithubAuthLogoutRequest = {
   readonly label?: string | null | undefined
 }
 
+export type CodexAuthImportRequest = {
+  readonly label?: string | null | undefined
+  readonly authText: string
+}
+
+export type CodexAuthStatus = {
+  readonly label: string
+  readonly message: string
+  readonly present: boolean
+  readonly authPath: string
+}
+
+export type CodexAuthLogoutRequest = {
+  readonly label?: string | null | undefined
+}
+
 export type ApplyAllRequest = {
   readonly activeOnly?: boolean | undefined
 }
 
@@ -48,6 +48,15 @@ export const GithubAuthLogoutRequestSchema = Schema.Struct({
   label: OptionalNullableString
 })
 
+export const CodexAuthImportRequestSchema = Schema.Struct({
+  label: OptionalNullableString,
+  authText: Schema.String
+})
+
+export const CodexAuthLogoutRequestSchema = Schema.Struct({
+  label: OptionalNullableString
+})
+
 export const ApplyAllRequestSchema = Schema.Struct({
   activeOnly: OptionalBoolean
 })
@@ -108,6 +117,8 @@ export const AgentLogLineSchema = Schema.Struct({
 export type CreateProjectRequestInput = Schema.Schema.Type<typeof CreateProjectRequestSchema>
 export type GithubAuthLoginRequestInput = Schema.Schema.Type<typeof GithubAuthLoginRequestSchema>
 export type GithubAuthLogoutRequestInput = Schema.Schema.Type<typeof GithubAuthLogoutRequestSchema>
+export type CodexAuthImportRequestInput = Schema.Schema.Type<typeof CodexAuthImportRequestSchema>
+export type CodexAuthLogoutRequestInput = Schema.Schema.Type<typeof CodexAuthLogoutRequestSchema>
 export type ApplyAllRequestInput = Schema.Schema.Type<typeof ApplyAllRequestSchema>
 export type UpProjectRequestInput = Schema.Schema.Type<typeof UpProjectRequestSchema>
 export type CreateAgentRequestInput = Schema.Schema.Type<typeof CreateAgentRequestSchema>
 
@@ -12,6 +12,8 @@ import * as Schema from "effect/Schema"
 import { ApiAuthRequiredError, ApiBadRequestError, ApiConflictError, ApiInternalError, ApiNotFoundError, describeUnknown } from "./api/errors.js"
 import {
   ApplyAllRequestSchema,
+  CodexAuthImportRequestSchema,
+  CodexAuthLogoutRequestSchema,
   CreateAgentRequestSchema,
   CreateFollowRequestSchema,
   CreateProjectRequestSchema,
@@ -20,7 +22,14 @@ import {
   UpProjectRequestSchema
 } from "./api/schema.js"
 import { uiHtml, uiScript, uiStyles } from "./ui.js"
-import { loginGithubAuth, logoutGithubAuth, readGithubAuthStatus } from "./services/auth.js"
+import {
+  importCodexAuth,
+  loginGithubAuth,
+  logoutCodexAuth,
+  logoutGithubAuth,
+  readCodexAuthStatus,
+  readGithubAuthStatus
+} from "./services/auth.js"
 import { getAgent, getAgentAttachInfo, listAgents, readAgentLogs, startAgent, stopAgent } from "./services/agents.js"
 import { latestProjectCursor, listProjectEventsSince } from "./services/events.js"
 import {
@@ -149,6 +158,8 @@ const readCreateProjectRequest = () => HttpServerRequest.schemaBodyJson(CreatePr
 const readCreateFollowRequest = () => HttpServerRequest.schemaBodyJson(CreateFollowRequestSchema)
 const readGithubAuthLoginRequest = () => HttpServerRequest.schemaBodyJson(GithubAuthLoginRequestSchema)
 const readGithubAuthLogoutRequest = () => HttpServerRequest.schemaBodyJson(GithubAuthLogoutRequestSchema)
+const readCodexAuthImportRequest = () => HttpServerRequest.schemaBodyJson(CodexAuthImportRequestSchema)
+const readCodexAuthLogoutRequest = () => HttpServerRequest.schemaBodyJson(CodexAuthLogoutRequestSchema)
 const readApplyAllRequest = () => HttpServerRequest.schemaBodyJson(ApplyAllRequestSchema)
 const readUpProjectRequest = () =>
   HttpServerRequest.schemaBodyJson(UpProjectRequestSchema).pipe(
@@ -240,6 +251,31 @@ export const makeRouter = () => {
         return yield* _(jsonResponse({ ok: true, status }, 200))
       }).pipe(Effect.catchAll(errorResponse))
     ),
+    HttpRouter.get(
+      "/auth/codex/status",
+      Effect.gen(function*(_) {
+        const request = yield* _(HttpServerRequest.HttpServerRequest)
+        const label = new URL(request.url, "http://localhost").searchParams.get("label")
+        const status = yield* _(readCodexAuthStatus(label))
+        return yield* _(jsonResponse({ status }, 200))
+      }).pipe(Effect.catchAll(errorResponse))
+    ),
+    HttpRouter.post(
+      "/auth/codex/import",
+      Effect.gen(function*(_) {
+        const request = yield* _(readCodexAuthImportRequest())
+        const status = yield* _(importCodexAuth(request))
+        return yield* _(jsonResponse({ ok: true, status }, 201))
+      }).pipe(Effect.catchAll(errorResponse))
+    ),
+    HttpRouter.post(
+      "/auth/codex/logout",
+      Effect.gen(function*(_) {
+        const request = yield* _(readCodexAuthLogoutRequest())
+        const status = yield* _(logoutCodexAuth(request))
+        return yield* _(jsonResponse({ ok: true, status }, 200))
+      }).pipe(Effect.catchAll(errorResponse))
+    ),
     HttpRouter.get(
       "/federation/issues",
       Effect.sync(() => ({ issues: listFederationIssues() })).pipe(
 
@@ -10,20 +10,25 @@ import {
   resolveGithubCloneAuthToken
 } from "@effect-template/lib/usecases/github-token-preflight"
 import { validateGithubToken, type GithubTokenValidationResult } from "@effect-template/lib/usecases/github-token-validation"
+import { normalizeAccountLabel } from "@effect-template/lib/usecases/auth-helpers"
 import { resolvePathFromCwd } from "@effect-template/lib/usecases/path-helpers"
 import { Effect, Match } from "effect"
 
 import type {
+  CodexAuthImportRequest,
+  CodexAuthLogoutRequest,
+  CodexAuthStatus,
   GithubAuthLoginRequest,
   GithubAuthLogoutRequest,
   GithubAuthStatus,
   GithubAuthTokenStatus
 } from "../api/contracts.js"
-import { ApiAuthRequiredError } from "../api/errors.js"
+import { ApiAuthRequiredError, ApiBadRequestError } from "../api/errors.js"
 
 export const githubAuthRequiredCommand = "docker-git auth github login --web"
 export const githubAuthRequiredMessage = "GitHub authentication is required. Run: docker-git auth github login --web"
 export const githubAuthEnvGlobalPath = defaultTemplateConfig.envGlobalPath
+export const codexAuthPath = defaultTemplateConfig.codexAuthPath
 
 const githubTokenKey = "GITHUB_TOKEN"
 const githubTokenPrefix = "GITHUB_TOKEN__"
@@ -90,6 +95,29 @@ const resolveControllerEnvPath = (
 ): string =>
   resolvePathFromCwd(path, process.cwd(), envGlobalPath)
 
+const resolveControllerCodexPath = (path: Path.Path, authPath: string): string =>
+  resolvePathFromCwd(path, process.cwd(), authPath)
+
+const resolveCodexLabel = (label: string | null | undefined): string =>
+  normalizeAccountLabel(label ?? null, "default")
+
+const resolveCodexAccountPath = (
+  path: Path.Path,
+  authPath: string,
+  label: string | null | undefined
+): string => {
+  const basePath = resolveControllerCodexPath(path, authPath)
+  const normalizedLabel = resolveCodexLabel(label)
+  return normalizedLabel === "default" ? basePath : path.join(basePath, normalizedLabel)
+}
+
+const resolveCodexAuthFilePath = (
+  path: Path.Path,
+  authPath: string,
+  label: string | null | undefined
+): string =>
+  path.join(resolveCodexAccountPath(path, authPath, label), "auth.json")
+
 const readGithubAuthTokens = (
   envGlobalPath: string
 ): Effect.Effect<GithubAuthStatus, PlatformError, FileSystem.FileSystem | Path.Path> =>
@@ -144,6 +172,89 @@ export const logoutGithubAuth = (request: GithubAuthLogoutRequest) =>
     return yield* _(readGithubAuthTokens(githubAuthEnvGlobalPath))
   })
 
+const codexAuthStatus = (
+  present: boolean,
+  label: string,
+  authPath: string
+): CodexAuthStatus => ({
+  label,
+  message: present
+    ? "Codex auth imported into controller state."
+    : "Codex auth not found in controller state.",
+  present,
+  authPath
+})
+
+export const readCodexAuthStatus = (
+  label?: string | null | undefined
+): Effect.Effect<CodexAuthStatus, PlatformError, FileSystem.FileSystem | Path.Path> =>
+  Effect.gen(function*(_) {
+    const fs = yield* _(FileSystem.FileSystem)
+    const path = yield* _(Path.Path)
+    const resolvedLabel = resolveCodexLabel(label)
+    const resolvedAuthPath = resolveCodexAuthFilePath(path, codexAuthPath, label)
+    const exists = yield* _(fs.exists(resolvedAuthPath))
+    if (!exists) {
+      return codexAuthStatus(false, resolvedLabel, resolvedAuthPath)
+    }
+
+    const info = yield* _(fs.stat(resolvedAuthPath))
+    if (info.type !== "File") {
+      return codexAuthStatus(false, resolvedLabel, resolvedAuthPath)
+    }
+
+    return codexAuthStatus(true, resolvedLabel, resolvedAuthPath)
+  })
+
+export const importCodexAuth = (
+  request: CodexAuthImportRequest
+): Effect.Effect<CodexAuthStatus, ApiBadRequestError | PlatformError, FileSystem.FileSystem | Path.Path> =>
+  Effect.gen(function*(_) {
+    const fs = yield* _(FileSystem.FileSystem)
+    const path = yield* _(Path.Path)
+    const resolvedAuthPath = resolveCodexAuthFilePath(path, codexAuthPath, request.label)
+    const parsed = yield* _(
+      Effect.try({
+        try: () => JSON.parse(request.authText),
+        catch: (cause) =>
+          new ApiBadRequestError({
+            message: "Invalid Codex auth JSON.",
+            details: cause
+          })
+      })
+    )
+
+    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+      return yield* _(
+        Effect.fail(
+          new ApiBadRequestError({
+            message: "Codex auth JSON must be an object."
+          })
+        )
+      )
+    }
+
+    yield* _(fs.makeDirectory(path.dirname(resolvedAuthPath), { recursive: true }))
+    yield* _(fs.writeFileString(resolvedAuthPath, JSON.stringify(parsed, null, 2)))
+    return yield* _(readCodexAuthStatus(request.label))
+  })
+
+export const logoutCodexAuth = (
+  request: CodexAuthLogoutRequest
+): Effect.Effect<CodexAuthStatus, PlatformError, FileSystem.FileSystem | Path.Path> =>
+  Effect.gen(function*(_) {
+    const fs = yield* _(FileSystem.FileSystem)
+    const path = yield* _(Path.Path)
+    const resolvedAuthPath = resolveCodexAuthFilePath(path, codexAuthPath, request.label)
+    const exists = yield* _(fs.exists(resolvedAuthPath))
+
+    if (exists) {
+      yield* _(fs.remove(resolvedAuthPath))
+    }
+
+    return yield* _(readCodexAuthStatus(request.label))
+  })
+
 export const ensureGithubAuthForCreate = (config: {
   readonly repoUrl: string
   readonly gitTokenLabel?: string | undefined
 
@@ -6,7 +6,13 @@ import { Effect } from "effect"
 import { vi } from "vitest"
 
 import { ApiAuthRequiredError } from "../src/api/errors.js"
-import { ensureGithubAuthForCreate, readGithubAuthStatus } from "../src/services/auth.js"
+import {
+  ensureGithubAuthForCreate,
+  importCodexAuth,
+  logoutCodexAuth,
+  readCodexAuthStatus,
+  readGithubAuthStatus
+} from "../src/services/auth.js"
 import { createProjectFromRequest } from "../src/services/projects.js"
 
 const withTempDir = <A, E, R>(
@@ -185,4 +191,75 @@ describe("api auth", () => {
         )
       })
     ).pipe(Effect.provide(NodeContext.layer)))
+
+  it.effect("imports Codex auth into the controller-owned auth directory", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fs = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+        const projectsRoot = path.join(root, ".docker-git")
+        const authDir = path.join(projectsRoot, ".orch", "auth", "codex")
+        const authText = JSON.stringify({ openai: { type: "oauth", refresh: "refresh", access: "access" } }, null, 2)
+
+        yield* _(fs.makeDirectory(projectsRoot, { recursive: true }))
+
+        const status = yield* _(
+          withProjectsRoot(
+            projectsRoot,
+            withWorkingDirectory(
+              root,
+              importCodexAuth({ authText })
+            )
+          )
+        )
+
+        expect(status.present).toBe(true)
+        expect(status.authPath).toBe(path.join(authDir, "auth.json"))
+        expect(status.message).toBe("Codex auth imported into controller state.")
+
+        const fileText = yield* _(fs.readFileString(path.join(authDir, "auth.json")))
+        expect(fileText).toContain('"refresh": "refresh"')
+
+        const readStatus = yield* _(
+          withProjectsRoot(
+            projectsRoot,
+            withWorkingDirectory(root, readCodexAuthStatus())
+          )
+        )
+
+        expect(readStatus.present).toBe(true)
+        expect(readStatus.authPath).toBe(path.join(authDir, "auth.json"))
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+
+  it.effect("removes labeled Codex auth from controller state", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const path = yield* _(Path.Path)
+        const projectsRoot = path.join(root, ".docker-git")
+        const labeledAuthDir = path.join(projectsRoot, ".orch", "auth", "codex", "team-a")
+        const authText = JSON.stringify({ tokens: { access_token: "access", refresh_token: "refresh" } }, null, 2)
+
+        yield* _(
+          withProjectsRoot(
+            projectsRoot,
+            withWorkingDirectory(
+              root,
+              importCodexAuth({ label: "team-a", authText })
+            )
+          )
+        )
+
+        const removed = yield* _(
+          withProjectsRoot(
+            projectsRoot,
+            withWorkingDirectory(root, logoutCodexAuth({ label: "team-a" }))
+          )
+        )
+
+        expect(removed.present).toBe(false)
+        expect(removed.label).toBe("team-a")
+        expect(removed.authPath).toBe(path.join(labeledAuthDir, "auth.json"))
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
 })